Monitoring apparatus and method therefor
Abstract
A monitoring apparatus for detection of a malicious attack in a communications network comprises a pattern matching engine ( 406 ), a data store ( 408 ) and an alert generator ( 410, 412 ). The pattern matching engine ( 406 ) is arranged to receive a bit stream and identify a characteristic of a malicious attack from at least one datagram represented by at least part of the bit stream. The data store ( 408 ) is operably coupled to the pattern matching engine and the data store ( 408 ) is arranged to retain identification data to enable the pattern matching engine to identify the characteristic of the malicious attack. The alert generator ( 410, 412 ) is arranged to generate an alert in response to an identification of the characteristic of the malicious attack. The data store ( 408 ) is remotely updatable.
Claims
exact text as granted — not AI-modified1 . A monitoring apparatus for detection of a malicious attack in a communications network, the apparatus comprising:
a pattern matching engine arranged to receive a bit stream and identify a characteristic of a malicious attack from at least one datagram represented by at least part of the bit stream; a data store operably coupled to the pattern matching engine, the data store being arranged to retain identification data to enable the pattern matching engine to identify the characteristic of the malicious attack; and an alert generator arranged to generate an alert in response to an identification of the characteristic of the malicious attack; wherein the data store is remotely updatable.
2 . An apparatus as claimed in claim 1 , further comprising a data updating entity operably coupled to the data store and arranged to receive a plurality of datagrams comprising replacement identification data.
3 . An apparatus as claimed in claim 2 , wherein the data updating entity is arranged to store the replacement identification data in place of the identification data.
4 . An apparatus as claimed in claim 2 , wherein the pattern matching engine is arranged to cease identifying the characteristic of the malicious attack in response to receipt of a datagram of the plurality of datagrams comprising the replacement identification data.
5 . An apparatus as claimed in claim 4 , wherein the pattern matching engine is arranged to revert to identifying the characteristic of the malicious attack upon confirmed replacement of the identification data with the replacement identification data.
6 . An apparatus as claimed in claim 1 , further comprising:
a sub-channel injector entity for supporting a sub-channel within a main channel, the main channel supporting receipt of the bit stream.
7 . An apparatus as claimed in claim 6 , wherein the sub-channel is arranged to be used for communication of acknowledgement data responsive to a datagram comprising a part of the replacement data.
8 . An apparatus as claimed in claim 7 , wherein the data updating entity is operably coupled to the sub-channel injector entity and is arranged to generate the acknowledgement data and communicate the acknowledgement data to the sub-channel injector entity.
9 . A processing resource for a network element, the resource comprising the monitoring apparatus as claimed in claim 1 .
10 . An interface card for a network element comprising the processing resource as claimed in claim 9 .
11 . A communications system comprising the monitoring apparatus as claimed in claim 1 .
12 . A method of detecting a malicious attack in a communications network, the method comprising:
receiving a bit stream; identifying a characteristic of a malicious attack from at least one datagram represented by at least part of the bit stream; accessing identification data stored by a data store to enable identification of the characteristic of the malicious attack; and generating an alert in response to an identification of the characteristic of the malicious attack; and recognising a received datagram containing replacement identification data indicative of a need to update the data store.
13 . A monitoring apparatus for detection of a malicious attack in a communications network, the apparatus comprising:
a pattern matching engine arranged to receive a bit stream and identify a characteristic of a malicious attack from at least one datagram represented by at least part of the bit stream; an alert generator arranged to generate an alert in response to an identification of the characteristic of the malicious attack; and an alert processing entity operably coupled to the alert generator, the alert processing entity being arranged to receive the alert constituting alert information and limit communication of the alert information for receipt by an alert information collection unit.
14 . An apparatus as claimed in claim 13 , wherein the alert information collection unit is not collocated with the alert processing entity within the topology of the communications network.
15 . An apparatus as claimed in claim 13 , wherein the alert processing entity is arranged to generate a digest of alert information received in respect of a plurality of alerts generated by the alert generator.
16 . An apparatus as claimed in claim 15 , wherein the digest comprises one or more of the following parameters: a used port number, a duration of a plurality of packets constituting the malicious attack, an identity of a link being monitored, location of the monitoring apparatus in the communications network, data identifying a type of the characteristic detected, a rate of receipt of datagrams containing a same type of the characteristic detected, a number of sources of datagrams containing the characteristic detected, a number of destinations of datagrams containing the characteristic detected, and/or datagram length.
17 . An apparatus as claimed in claim 14 , wherein the alert processing unit is arranged to communicate the alert information in response to receipt of multiple receipts of the alert exceeding a predetermined threshold.
18 . An apparatus as claimed in claim 13 , further comprising:
a sub-channel injector entity for supporting a sub-channel within a main channel, the main channel supporting receipt of the bit stream.
19 . An apparatus as claimed in claim 18 , wherein the sub-channel injector is operably coupled to the alert processing entity, the alert processing entity being arranged to use the sub-channel to communicate the alert information.
20 . A processing resource for a network element, the resource comprising the monitoring apparatus as claimed in claim 13 .
21 . An interface card for a network element comprising the processing resource as claimed in claim 20 .
22 . A communications system comprising the monitoring apparatus as claimed in claim 13 , the system further comprising:
an alert information collection unit remotely located from the monitoring apparatus at a monitoring station; wherein the monitoring station is arranged to communicate instruction data to the monitoring apparatus in response to receipt of the alert information.
23 . A system as claimed in claim 22 , wherein the instruction data identifies an action to be taken by the monitoring apparatus in relation to the at least one datagram baring the characteristic of the malicious attack.
24 . A system as claimed in claim 23 , wherein the action at least mitigates and/or neutralises an intended effect of the malicious attack.
25 . A system as claimed in claim 22 , wherein the response to the receipt of the alert information is automated.
26 . A system as claimed in claim 22 , wherein the monitoring station is arranged to communicate the alert information to a user, the monitoring station providing the user with freedom to select and initiate communication of the instruction data.
27 . A method of detecting a malicious attack in a communications network, the method comprising:
receiving a bit stream; identifying a characteristic of a malicious attack from at least one datagram represented by at least part of the bit stream; generating an alert in response to an identification of the characteristic of the malicious attack; recognising a received datagram containing replacement identification data indicative of a need to update the data store; and processing the alert constituting alert information and limiting communication of the alert information for receipt by an alert information collection unit.
28 . A computer program element embodied on a computer readable medium, comprising computer program code means to make a computer execute the method of claim 12 .
29 . A computer program code element embodied on a computer readable medium, comprising computer program code means to make a computer execute the method of claim 27 .
30 . An apparatus as claimed in claim 13 , wherein the alert information causes the monitoring apparatus to take an action, the action at least mitigating and/or neutralising an intended effect of the malicious attack.
31 . An apparatus as claimed in claim 13 , wherein the alert information causes the monitoring apparatus to drop a packet relating to the malicious attack.Join the waitlist — get patent alerts
Track US2008301810A1 — get alerts on status changes and closely related new filings.
We store only your email — no account needed. See our privacy policy.